Tencent Security Xuanwu Lab Daily News
• ConferenceTalks/BecomeLoadbalancer_TR22.pdf:
https://github.com/n0x08/ConferenceTalks/blob/master/BecomeLoadbalancer_TR22.pdf
・ Become Load balancer,Owner of Your Network,来自 TROOPERS22 会议
– Jett
• GitHub – secretflow/secretflow: A unified framework for privacy-preserving data analysis and machine learning:
https://github.com/secretflow/secretflow
・ SecretFlow – 在隐私保护基础上的数据分析和机器学习框架
– Jett
• Exploiting Arbitrary Object Instantiations in PHP without Custom Classes:
https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/
・ Exploiting Arbitrary Object Instantiations in PHP without Custom Classes
– Jett
• GitHub – sourceincite/randy: A pre-authenticated RCE exploit for Inductive Automation Ignition:
https://github.com/sourceincite/randy
・ Inductive Ignition 工控方案 pre-authenticated RCE Exploit,这个漏洞被用于参加 Pwn2Own Miami 2022 比赛
– Jett
• ida_bochs_windows:
https://github.com/therealdreg/ida_bochs_windows
・ IDA Pro 调试 Windows 内核的辅助脚本
– Jett
• Tableau Server Leaks Sensitive Information From Reflected XSS:
https://www.gosecure.net/blog/2022/07/13/tableau-server-leaks-sensitive-information-from-reflected-xss/
・ 利用反射式 XSS 漏洞从 Tableau Server 数据分析平台泄露敏感信息
– Jett
• CVE-2022-30136: Microsoft Windows Network File System v4 Remote Code Execution Vulnerability:
https://www.thezdi.com/blog/2022/7/13/cve-2022-30136-microsoft-windows-network-file-system-v4-remote-code-execution-vulnerability
・ Windows 网络文件系统 NFSv4 处理请求时的 RCE 漏洞分析(CVE-2022-30136)
– Jett
• Researching access tokens for fun and knowledge:
https://www.huntandhackett.com/blog/researching-access-tokens-for-fun-and-knowledge
・ JSON Web Tokens 与 Azure Key Vaults 研究
– Jett
• 2278 – project-zero – Project Zero – Monorail:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2278
・ Issue 2278: Windows: LSA Service LsapGetClientInfo Impersonation Level Check EoP
– Jett
* 查看或搜索历史推送内容请访问:
https://sec.today
* 新浪微博账号:腾讯玄武实验室
https://weibo.com/xuanwulab
原文始发于微信公众号(腾讯玄武实验室):每日安全动态推送(07-15)
